New York Takes on Credential Stuffing and Passwords
In January, New York State Attorney General Letitia James announced the results of an investigation into credential stuffing, which is defined as:
“repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services … It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another.
In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts will succeed, through the sheer volume of login attempts, a single attack can nevertheless yield thousands of compromised accounts.”
The investigation found that over one million accounts were compromised in cyberattacks at 17 well-known companies, including those in the online retail, restaurant, and food delivery sectors. Not a surprising outcome and it's been reported that credential stuffing will increase over the coming weeks.
According to the Attorney General’s alert, consumers are advised to strengthen their password security as follows:
Never reuse passwords
Reusing passwords may be easy, but it comes at the cost of weakened security.
Use a password manager
The easiest way to solve the challenge of remembering unique passwords. There are password managers that offer a fully featured free version across unlimited logins, passwords, and devices; are open source; and benefit from the constant feedback of a vibrant and engaged community of users.
Enable two-factor authentication
This one extra step makes a big difference.
Check regularly for unauthorized activities
Don’t rely on companies to contact you. Be proactive about monitoring unauthorized activities.
Sign up for updates
Take suspicious activity seriously
Very rarely will something happen because of a “glitch.” Don’t brush off strange device or account behavior and unexpected account management emails. Change your password - or better yet, deploy a password manager to help you manage your affairs.
For a more detailed explanation of each recommendation, please view the alert.
The Attorney General’s clear and definitive guidance can help the average user adopt password security best practices. Clear directions like these are hard to come by - even from institutions that should know better, such as federal government agencies.
In early February, Bitwarden unveiled its State of Password Security: A report and assessment of security advice from U.S. Federal Agencies. The report seeks to engage and educate everyone who uses passwords on the best practices coming from the federal government, including places where there is room for improvement. It ranks agencies based on their adherence to certain password security criteria.
Recommends use of a password manager
Calls out importance of strong passwords
Cites need for 2FA/MFA to further support password security
Overall security advice is up-to-date and adheres to NIST guidelines
Lays out password security recommendations in a clear, digestible, and easy-to-find manner
While agencies like the National Institute of Standards and Technology (NIST) fared very well, others such as the White House, the Department of Homeland Security, and the FBI, are less structured. Given the sometimes disjointed nature of government-issued password tips, the New York state Attorney General's common sense approach is refreshing and notable. It’s reminiscent of another standout agency, the Federal Trade Commission (FTC).
Have some thoughts on password policy advice from local, state, or federal agencies? Follow Bitwarden on Twitter to let us know.